Protect Yourself from PHP Worms

Don't just change your code to protect yourself from attacks such as the Santy or PHPInclude worms—change your tactics.

by Laurence Moroney

Jan 5, 2005


In recent months it's become apparent that every computer system, regardless of operating system or programming language, bears a security risk. All computer software exposes attack surfaces to viruses and worms, and it is only a matter of time before they get attacked. Most recently, the bulk of security attacks have targeted Microsoft Windows and its Internet Information Services (IIS) Web server, but they aren't unique in their vulnerability; such attacks simply tend to target the most popular systems.

Over the past couple of years, PHP has become an increasingly popular language for Web sites that don't want to invest in expensive Web server operating system licenses such as Windows 2000 Server or Windows 2003 Server. PHP is a free server-side scripting language, much like ASP, that can run on either Windows or Linux. When combined with a database back end like MySQL (also available in a free incarnation), these two tools make a powerful suite that you can use to build dynamic, data-driven Web sites.

Perhaps as a result of its growing popularity, PHP is under attack from virus and worm writers. A recently discovered, major security hole in the language has brought about many attacks upon Web sites built with PHP or tools that have been written in PHP, such as the popular phpBB bulletin board software. It is important to point out that describing something like this as a "hole" sounds critical of the design, but that's not usually the case. Generally, a security hole in a computer language, application, or platform occurs when someone finds an unforeseen use for a feature. Calling an unforeseen use a design flaw is analogous to insisting that a hammer's design is flawed because it can be used as a weapon as well as to drive nails.

The feature of PHP that has led to the proliferation of worms such as Santy (now PHPInclude) is that a PHP script can "include" another script. This is very commonly (and properly) used because it allows a single PHP script to contain shared functions. That script is then "included" in other scripts that need access to the shared functions. The script file inc.php (see Listing 1) contains a simple function called addOne, which, as its name suggests, adds 1 to the input parameter and returns the answer.

<?php
// Shared helper: returns the input value plus 1.
function addOne($in)
{
    $out = $in + 1;
    return $out;
}
?>

The script file page.php (see Listing 2) is an example of a page on your Web server that a client would call, passing in a numeric parameter, which would then have 1 added to it. The first line of Listing 2 includes the code from Listing 1, showing how you can make the addOne function available from other pages without copying it every time.

Figure 1. Page.php in Action: The client passed a value of 7 to the page, which calls the included addOne() function and displays the result.

Figure 1 shows an example of page.php in action. Note that the client passed the num parameter in the address line as num=7. As shown in Listing 2, the page.php code calls the included addOne function, which adds 1 to the passed value, and returns the result. The page then writes out the resulting value of 8.
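The following is an added example, not the article's Listing 2: one way a page like page.php could be written so that the include target is a fixed path and the num parameter is validated before use. It assumes inc.php from Listing 1 sits in the same directory; the error message and output text are constructed for illustration.

```php
<?php
// Added example, not the article's Listing 2.
// Assumes inc.php (Listing 1) is in the same directory as this file.

// The include target is a constant path built from __DIR__; nothing from the
// request contributes to it. require_once halts the script with a fatal error
// if the file is missing, rather than continuing without addOne().
require_once __DIR__ . '/inc.php';

// Accept num only if it parses as an integer. filter_input() returns null
// when the parameter is absent and false when validation fails.
$num = filter_input(INPUT_GET, 'num', FILTER_VALIDATE_INT);

if ($num === null || $num === false) {
    http_response_code(400);
    echo 'num must be an integer';
    exit;
}

// Encode on output so the page never echoes raw request data.
// A request with num=7 prints "Result: 8", matching Figure 1.
echo 'Result: ' . htmlspecialchars((string) addOne($num), ENT_QUOTES, 'UTF-8');
```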

Author's Note: While this article discusses the "include" keyword, the same issues arise with the "require" keyword, which behaves in an almost identical manner. The difference between these keywords is that when the path to the target file cannot be resolved, include raises a warning, while require causes a fatal error.